We currently have a file server set up with Windows 2003 Server. I am looking to make this file server more accessible to our users by creating a root folder and putting all departments in one. This way their mapped drive shows all departments; however, if you are not in a specific department you will not be able to open one or more of the folders you do not have access to. Right now we have drives mapped by dept, so when dept X needs files from dept Y, a user has to get access to that other dept, which in turn will remap their shared drive. If anyone can understand this madness or has a better solution for me, please send all comments and HELP.

You can use DFS to solve this issue very easily; however, if you haven't mentioned it, it may be more of a problem to set up for you than you bargain for, so that is not simple.

I would suggest that you simply leave it like you have it now for the department drives that are mapping to everyone's individual departments.

Create one, yes one, new letter that will map the additional cross-department drives. All department drives do not need to be exposed; it is generally HR, IT, Marketing, etc. There are two ways to do this: either create a folder in each department drive and let the department know that this folder is visible to people outside the department, so if you put something in this folder, it is interdepartmental, not intradepartmental, any longer.

Bad idea to just map department drives from the root: people are curious and want to see, and if wrong permissions are applied, then some people may see things they are not supposed to see.

You seriously may need to implement DFS to accomplish what you really need in my opinion!

That would be how we have it now; however, that does not work out. We have some people that work between departments and need each dept access. Our current login script sample is below. And yes, everyone wants to have the same drive letter or this could be simple.

Right now I run an NT 4 domain where everyone gets to the shared drive and everyone has rights. The users refer to it as the S drive because of the mapping. This was not my idea but I have lived with it for some time. Having said that, I am migrating to 2003 and will be making major changes to the structure of the shared resource.

Groups will be used to manage security and to make it easier.

From the root of the drive, there will be individual folders similar to the following.

Administration

Human Resources

Marketing

A group for Human Resources will be created for the same folder name with full rights. However, they won't have full rights to Marketing, only read rights.

While all users can see the folders, they will have limited or no access to the others listed.

This is one of many ways to do it.

My biggest issue is with everything on 1 server and 24 remote branches when things go down, everybody calls. Worse than a utility company getting calls about the power out. :)

So I will be implementing servers in strategic locations that can have access to the data quicker for their site. This will reduce traffic on the VPN site-to-site connection.

Another reason is home directories can be split up for the sites to also reduce traffic especially for the same reason as to reduce bandwidth across VPN connections.

This method won't cause a remapping of the drive, especially if you have your login script automatically set to the drive and reloaded every time a user logs in.

Security groups in AD with Share and NTFS permissions alongside your login script will do everything you need. Create a security group for each department. Add your users to each department security group they will need to access files for. Create a single login script for all users that maps to the root as you stated, with each of your department folders inside. In the NTFS permissions of each department folder, choose the Advanced tab and remove the inheritance checkbox. You will need to re-create permissions to the folder for each department security group who needs access to the folder. This is the simplest and most logical way to provide secure access to folder and file shares. Set up all security groups with Read share permission rights. Read rights for security groups that need to view but not edit, and Modify rights for security groups that need to be able to create folders, edit files and folders under their department folder. Let me know if you have detailed questions. I can write a quick breakdown by department if you can provide that information and define the access type as well. Just let me know. Hope this makes sense!

Why are you using the same drive letter for every department? That seems to be the crux of your issue. Different drive letters for different departments is the quickest solution. There are 26 letters in the alphabet!

There are numerous ways to approach the problem. Another way is to create a public folder for people to pass information back and forth and keep them totally out of the other folders except the one they need access to.

Just remind everyone that the public folder is unsecure and at any time it can be cleaned out when necessary.

It is very difficult to plan out every scenario, but planning is necessary and you can walk through the steps prior to implementing by listing your groups, rights and security.

Trust me there will always be that one off situation that bites you in the butt. LOL :)

The worst offense in the company is making duplicate files all over the place or like everyone needs one. Kind of digs into longer back up times.

I just tell everyone if they want the files to be protected from others put it on their home directory where no one touches it.

Well that is not good enough, there are many benefits to DFS beyond the one you would like to use it for and once setup properly he will be tremendously happy with it as well. It is not changing the underlying structure of the data at all, it is simply placing a file management software (per se) on top of it to create a better shared network environment using shares.

Plus, you can set it up and not use the file replication feature or set it up and do nothing with it, it doesn't impact anything.

This is something small in the world of network management now and if there are problems with him doing this, then you have a lot of other battles that I would hate to see you dealing with. It's great to have policies and procedures to follow but when it comes to an unwillingness to learn or use technology to the benefit of the company, that is an issue.

100-150 users is a great range to implement DFS. I used to have a document about how I did it at a company but don't have it anymore, solving this problem not implementing actual DFS (there is plenty of stuff out there for that), but honestly it was a bear. It became a major project because of the same thing about not wanting to use DFS; 2 months later, we implemented DFS and it made life easy.

A good reason would be like my situation where I have 24 branches which comprise of Homecare, Private Duty, Hospice, Billing, Accounting, HR and Administration. All branches are running across VPN connections, unlike some lucky people where everything is in one building. You really have to manage and control your file access across the VPN connections.

Put all of your eggs in one basket and the whole world comes down instead of half if distributed.

Remember not all networks operate or are set up the same way.

Remember setting up a well run network requires the use of brain matter and looking at the big picture with expectations of growth. That is if you are only dealing with a small office and you don't have to worry about expanding beyond the building you work in.

Being an IT systems admin requires a lot of thinking out of the box. Jeremy's boss should take note of his suggestion. Too many people want to store all and have a single server do everything. Not such a good idea.

1st Post

I have read all the replies for this topic and no one has mentioned Document Management Systems (DMS). Network Shares are not ideal for multi-site organisation. I'm sure we all appreciate how slow file access can be over VPN links especially if you are using the Internet to connect your offices.

Most of the slowness is a result of inefficiencies of the CIFS protocol, which is very chatty. My organisation operates in the construction industry with 5 offices: London, Scotland, Bristol, Hong Kong, and Spain. We decided to move away from network shares the moment our Bristol and Hong Kong offices came online.

The first issue we encountered was the availability of drive letters. Secondly, "My Computer" would hang if the remote office WAN connection dropped while trying to access a network drive. Thirdly, NTFS permissions became a pain to implement as the company grew and different users required different levels of access. These are some of the many reasons why we have decided to ditch mapped drives in favour of a Document Management System or Enterprise Content Portal.

Just as Mike said, you have to think beyond how your network is set up now and look at the growth expectations of your organisation. You also have to envision how your many remote sites may want to collaborate in future. Many DMS solutions come with a remote cache server to give remote offices almost LAN speed access to files.

If your organisation is not ready to invest thousands of $$ then try Alfresco, a free open source Enterprise Content Management Suite.

Currently at my office we use a combination of DFS as well as ABE (Access-based Enumeration) to obtain our goals. We placed all department folders under one share. Using the DFS virtual namespace we map this as a drive to all workstations within our organization, and with ABE the users are only able to view the folders that they currently have access to.

DMS (Document Management Systems) have their value in controlling users and documents. There are tons of reasons to go that route. One is bypassing MS security and using the built-in security for access to documents and files from just about anywhere. You also have version controls and the ability to see who is accessing which documents / files by setting up check-out features.

Law firms use it a lot. Is it expensive? You bet it can be. But much better than throwing files out on a network and everyone trashing up a drive.

DFS is very handy for speed and access of files that better live in the location of the heavy users, yet allows others at remote sites to still have access. Kind of a balancing act.

Behind every solution there are gotchas. You have to weigh the pros with the cons.

Oh, I completely understand and totally agree Mike, I was referring to Michael5895.

DMS has their place but not for this solution, it would be crazy to implement a DMS for file sharing purposes only, it would make matters worse than better. Sometimes things just need to be kept simple.

If you have a DMS for example and there is a problem with that software, then you have no way of accessing files even if the file server is available. I just think sometimes people create a headache where there truly doesn't have to be one.

As I indicated, K.I.S.S. this problem and move on. While DMS has their place, it is generally used in larger organizations and often times even there not effectively.

Plus, you want to take people from having difficulty with using and managing drive letters to using a DMS? No way, no how, not on my watch!

OK, so in the interest of KISS, why would you create one mapped drive that has ALL the departments under it, in separate folders each with their own NTFS permissions? One slip when you are adding a group, because we don't add users right? and you had better have a list of what the permissions should be. Of course if you never make a mistake then there's nothing to worry about.

I make separate shares for each department, sometimes multiple shares depending on what's needed. If you are not in Purchasing then you don't see it, unless you are browsing the Network Places. This way the Share permissions should match the folder permissions.

I do have two common shares where the sub-folders have custom permissions, so that I don't have to tweak and re-tweak permissions for the main/important shares.

I have one user with 20 mapped drives, all used at least weekly. It used to be a pain but Roaming Profiles really helps.

I would rather have the work on the back end to set up and then KISS for the users. I can see how one drive letter is simple but I just can't agree that it's the right way. Now if their home directory was always the same letter maybe that would make sense, but we don't use home directories either, everything is on the network, in its rightful place. ;-)
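
An added example, not part of any post above: a Python check for the layout discussed in the thread (one security group per department, inheritance removed on each department folder, Read or Modify per group). It compares `icacls`-style listings against a written-down permission list so that a slip when adding a group shows up. Folder names, group names and the sample listings are constructed for illustration.

```python
import re

# Intended access per folder; names are constructed, rights are icacls letters.
EXPECTED = {
    r"S:\Human Resources": {r"BUILTIN\Administrators": "F", r"CORP\HR": "M"},
    r"S:\Marketing": {r"BUILTIN\Administrators": "F", r"CORP\Marketing": "M",
                      r"CORP\HR": "R"},
}

# Constructed icacls-style listings, one per folder (not from a real server).
LISTINGS = {
    r"S:\Human Resources": r"""
S:\Human Resources BUILTIN\Administrators:(OI)(CI)(F)
                   CORP\HR:(OI)(CI)(M)
                   CORP\Marketing:(OI)(CI)(M)""",
    r"S:\Marketing": r"""
S:\Marketing BUILTIN\Administrators:(OI)(CI)(F)
             CORP\Marketing:(OI)(CI)(M)
             CORP\HR:(OI)(CI)(M)
             BUILTIN\Users:(I)(OI)(CI)(RX)""",
}

# "principal:(flag)(flag)...": the last flag is the right, (I) marks inheritance.
ACE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([A-Z,]+\))+)$")

def parse_acl(folder, text):
    """Return (principal, right, inherited) for each ACE line of one listing."""
    aces = []
    for line in text.splitlines():
        line = line.strip().removeprefix(folder).strip()  # first line has the path
        m = ACE.match(line)
        if m:
            flags = re.findall(r"\(([A-Z,]+)\)", m["flags"])
            aces.append((m["who"], flags[-1], "I" in flags))
    return aces

def audit(expected, listings):
    """Compare each folder's ACL with the intended list; return findings."""
    findings = []
    for folder, want in expected.items():
        aces = parse_acl(folder, listings.get(folder, ""))
        for who, right, inherited in aces:
            if inherited:  # inheritance was meant to be removed on these folders
                findings.append((folder, who, "inherited"))
            if want.get(who) != right:
                issue = "wrong-right" if who in want else "unexpected"
                findings.append((folder, who, f"{issue}:{right}"))
        findings += [(folder, who, "missing")
                     for who in sorted(set(want) - {a[0] for a in aces})]
    return findings
```

Calling `audit(EXPECTED, LISTINGS)` returns one tuple per deviation; deny entries get no special treatment here and are simply reported as a mismatch.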